Abstract. We introduce the linear centralizer method for a passive adversary to extract the shared key in group-theory based key exchange protocols (KEPs). We apply this method to obtain a polynomial time cryptanalysis of the Commutator KEP, introduced by Anshel-Anshel-Goldfeld in 1999 and considered extensively ever since. We also apply this method to the Centralizer KEP, introduced by Shpilrain-Ushakov in 2006. Our method is proved to be of polynomial time using a technical lemma about sampling invertible matrices from a linear space of matrices.



1 Introduction 

Key Exchange Protocols (KEPs) make it possible for two electronic entities, Alice and Bob, to establish a shared secret key over a public communication channel. Since Diffie and Hellman's 1976 breakthrough KEP, few alternative KEP proposals resisted cryptanalysis. This, together with the (presently, theoretical) issue that the Diffie-Hellman and other classic KEPs can be broken in polynomial time by quantum computers, is a strong motivation for searching for substantially different KEPs. Lattice-based KEPs [29] seem to be a viable potential alternative. Both the classic KEPs and the Lattice-based ones are based on commutative algebraic structures.

In 1999, Anshel, Anshel, and Goldfeld [2] (cf. [3]) introduced the Commutator KEP, a general method for constructing KEPs based on noncommutative algebraic structures. Around the same time, Ko, Lee, Cheon, Han, Kang, and Park [19] introduced the Braid Diffie-Hellman KEP, another general method achieving the same goal. The security of both KEPs is based on variations of the Conjugacy Search Problem (CSP): Given conjugate elements g, h in a noncommutative group, find x in that group such that x^{-1} g x = h. Both papers [2] and [19] proposed to use the braid group B_N, a finitely presented, infinite noncommutative group parameterized by a natural number N, as the platform group.

The introduction of the Commutator KEP and the Braid Diffie-Hellman KEP was followed by a stream of heuristic attacks (e.g., [H], [IS], [22], [B], [S], [21], [10], [II], [IS], [23], [25], [27], [28]) (footnote 1), demonstrating that the weak keys of these KEPs constitute a substantial portion of the key space, or more precisely, that the two most natural distributions on the braid group B_N seem to give rise to insecure KEPs. Consequently, a program was set forth, by several independent research groups, to find an efficient way to sample hard instances of the underlying computational problems (e.g., [23], [20], [12], [I]).

Footnote 1: Surveys of some of the heuristic attacks are provided in Dehornoy [7] and Garber [8].

Most of the mentioned heuristic attacks address the Commutator KEP, and not the Braid Diffie-Hellman KEP. The reason is that in 2003, Cheon and Jun published a polynomial time cryptanalysis of the Braid Diffie-Hellman KEP, using an ingenious representation theoretic method [6]. In their paper, Cheon and Jun stress that their cryptanalysis does not apply directly to the Commutator KEP. Thus far, no polynomial time attack was found on the Commutator KEP, whose success does not depend on the distributions used to generate the random group elements. The main result of the present paper is a Las Vegas, provable polynomial time cryptanalysis of the Commutator KEP [2], in the passive adversary model, that succeeds regardless of the distributions used to generate the keys. This cryptanalysis constitutes a polynomial time solution of the underlying computational problem.

The methods developed for the new cryptanalysis are applicable to additional KEPs in the context of group-based cryptography. We present an application of these methods to the Centralizer KEP, introduced by Shpilrain and Ushakov in 2006 [33], to obtain a polynomial time attack. This is the first cryptanalysis, of any kind, of the Centralizer KEP.

We stress that the Cheon and Jun cryptanalysis and the ones presented here, while of polynomial time, are impractical for standard values of N (e.g., N = 100). These results are of theoretic nature. Ignoring logarithmic factors, the complexity of our cryptanalyses is about N^{4ω+6}, times a cubic polynomial in the other relevant parameters. Incidentally, though, these cryptanalyses establish the first provable practical attacks in the case where the index N of the braid group B_N is small, e.g., when N = 8.

Section 2 introduces the Commutator KEP and the braid group. In Section 3, we eliminate 
a technical complexity theoretic obstacle. Section 4 applies a method of Cheon and Jun to 
reduce our problem to matrix groups over finite fields. Section 5 is the main ingredient of 
our cryptanalysis, cryptanalyzing the Commutator KEP in matrix groups. Section 6 fills a 
gap in our proof, by applying the Schwartz-Zippel Lemma to obtain a lower bound on the 
probability that certain random matrices are invertible. Section 7 is a cryptanalysis of the 
Centralizer KEP, using the methods introduced in the earlier sections. Some final comments 
and additional applications are provided in Section 8. 

2 The Commutator KEP and the braid group B_N

We will use, throughout, the following basic notation. 

Notation 1 For a noncommutative group G and group elements g, x ∈ G, g^x := x^{-1} g x, the conjugate of g by x.

Useful identities involving this notation, that are easy to verify, include g^{xy} = (g^x)^y, and g^c = g for every central element c ∈ G, that is, such that ch = hc for all h ∈ G.
The Commutator KEP [2] is described succinctly in Figure 1 (footnote 2). In some detail:

1. A noncommutative group G and elements a_1, ..., a_k, b_1, ..., b_k ∈ G are publicly given (footnote 3).

2. Alice and Bob choose free group words in the variables x_1, ..., x_k, v(x_1, ..., x_k) and w(x_1, ..., x_k), respectively (footnote 4).

3. Alice substitutes a_1, ..., a_k for x_1, ..., x_k, to obtain a secret element a = v(a_1, ..., a_k) ∈ G. Similarly, Bob computes b = w(b_1, ..., b_k) ∈ G.

4. Alice sends the conjugated elements b_1^a, ..., b_k^a to Bob, and Bob sends a_1^b, ..., a_k^b to Alice.

5. The shared key is the commutator a^{-1} b^{-1} a b.

As conjugation is a group isomorphism, we have that

v(a_1^b, ..., a_k^b) = v(a_1, ..., a_k)^b = a^b = b^{-1} a b.

Thus, Alice can compute the shared key a^{-1} b^{-1} a b as a^{-1} v(a_1^b, ..., a_k^b), using her secret a, v(x_1, ..., x_k) and the public elements a_1^b, ..., a_k^b. Similarly, Bob computes a^{-1} b^{-1} a b as w(b_1^a, ..., b_k^a)^{-1} b.

Alice                                    Public                 Bob
v(x_1, ..., x_k) ∈ F_k                   a_1, ..., a_k ∈ G      w(x_1, ..., x_k) ∈ F_k
a = v(a_1, ..., a_k)                     b_1, ..., b_k ∈ G      b = w(b_1, ..., b_k)
                    b_1^a, ..., b_k^a   ---------->
                                        <----------   a_1^b, ..., a_k^b
a^{-1} b^{-1} a b = a^{-1} v(a_1^b, ..., a_k^b)                 a^{-1} b^{-1} a b = w(b_1^a, ..., b_k^a)^{-1} b

Fig. 1. The Commutator KEP

Footnote 2: In our diagrams, green letters indicate publicly known elements, and red ones indicate secret elements, known only to the secret holders. Results of computations involving elements of both colors may be either publicly known, or secret, depending on the context. The colors are not necessary to follow the diagrams.

Footnote 3: By adding elements, if needed, we assume that the number of a_i's is equal to the number of b_i's.

Footnote 4: A free group word in the variables x_1, ..., x_k is a product of the form x_{i_1}^{ε_1} x_{i_2}^{ε_2} ⋯ x_{i_m}^{ε_m}, with i_1, ..., i_m ∈ {1, ..., k} and ε_1, ..., ε_m ∈ {1, −1}, and with no subproduct of the form x_i x_i^{-1} or x_i^{-1} x_i.

For the platform group G, it is proposed in [2] to use the braid group B_N, a group parameterized by a natural number N. The interested reader will find detailed information on B_N in almost each of the papers in the bibliography. We quote here the information needed for the present paper.

Let S_N be the symmetric group of permutations on N symbols. For our purposes, the braid group B_N is a group of elements of the form

(i, p),

where i is an integer, and p is a finite (possibly, empty) sequence of elements of S_N, that is, p = (p_1, ..., p_ℓ) for some ℓ ≥ 0 and p_1, ..., p_ℓ ∈ S_N. The sequence p = (p_1, ..., p_ℓ) is requested to be left weighted (a property whose definition will not be used here), and p_1 must not be the involution p(k) = N − k (footnote 5).

Elements of B_N are called braids, for they may be identified with braids on N strands. This identification, however, will play no role in the present paper. For "generic" braids (i, (p_1, ..., p_ℓ)) ∈ B_N, i is negative and |i| is O(ℓ), but this is not always the case. Note that the bitlength of an element (i, (p_1, ..., p_ℓ)) ∈ B_N is O(log |i| + ℓ N log N).

Footnote 5: For readers familiar with the braid group, we point out that the sequence (i, (p_1, ..., p_ℓ)) codes the left normal form Δ^i p_1 ⋯ p_ℓ of the braid, in Artin's presentation, with Δ being the fundamental, full twist braid.

Multiplication is defined on B_N by an algorithm of complexity O(ℓ^2 N log N + log |i|). Inversion is of linear complexity. Explicit implementations are provided, for example, in [5].

For a passive adversary to extract the shared key of the Commutator KEP out of the public information, it suffices to solve the following problem.

Problem 2 (Commutator KEP Problem) Let a_1, ..., a_k, b_1, ..., b_k ∈ B_N, each of the form (i, p) with p of length ≤ ℓ. Let a be a product of at most m elements of {a_1, ..., a_k}^{±1}, and let b be a product of at most m elements of {b_1, ..., b_k}^{±1}.
Given a_1, ..., a_k, b_1, ..., b_k, a_1^b, ..., a_k^b, b_1^a, ..., b_k^a, compute a^{-1} b^{-1} a b.

Our solution of Problem 2 consists of several ingredients.

3 Reducing the infimum

The infimum of a braid b = (i, p) is the integer inf(b) := i. As the bitlength of b is O(log |i| + ℓ N log N), an algorithm polynomial in |i| would be at least exponential in the bitlength. We first remove this obstacle.

In cases where p is the empty sequence, we write (i) instead of (i, p). The properties of B_N include, among others, the following ones.

(a) (i) · (j, p) = (i + j, p) for all integers i and all (j, p) ∈ B_N. In particular, (i) = (1)^i for all i.

(b) (2) · (i, p) = (i, p) · (2) for all (i, p) ∈ B_N.

Thus, (2j) is a central element of B_N for each integer j. It follows that, for each (i, p) ∈ B_N,

(i, p) = (i − (i mod 2)) · (i mod 2, p).

This way, every braid b ∈ B_N decomposes to a product c b̃, where c is of the form (2j) (and thus central), and inf(b̃) ∈ {0, 1}.

Consider the public information in Figure 1. For each j = 1, ..., k, decompose as above

a_j = c_j ã_j,   b_j = d_j b̃_j,

with c_j, d_j central and inf(ã_j), inf(b̃_j) ∈ {0, 1} for all j = 1, ..., k. Let

ã = v(ã_1, ..., ã_k);
b̃ = w(b̃_1, ..., b̃_k);
c = v(c_1, ..., c_k);
d = w(d_1, ..., d_k).

As the elements c_j, d_j are central, we have that

a = v(c_1 ã_1, ..., c_k ã_k) = v(c_1, ..., c_k) · v(ã_1, ..., ã_k) = c ã.

Similarly, b = d b̃. As c and d are central,

b_j^a = (d_j b̃_j)^{c ã} = d_j b̃_j^{ã}

for all j = 1, ..., k. Thus, b̃_j^{ã} = d_j^{-1} b_j^a can be computed for all j. Similarly, ã_j^{b̃} can be computed. Now,

a^{-1} b^{-1} a b = (c ã)^{-1} (d b̃)^{-1} (c ã) (d b̃) = ã^{-1} b̃^{-1} ã b̃.

This shows that the Commutator KEP Problem is reducible, in linear time, to the same problem using ã_1, ..., ã_k, b̃_1, ..., b̃_k instead of a_1, ..., a_k, b_1, ..., b_k. Thus, we may assume that

inf(a_1), ..., inf(a_k), inf(b_1), ..., inf(b_k) ∈ {0, 1}

to start with. Assume that henceforth.

For a braid x = (i, p), let ℓ(x) be the number of permutations in the sequence p. For integers i, s, let

[i, s] = {x ∈ B_N : i ≤ inf(x) ≤ inf(x) + ℓ(x) ≤ s}.

We use the following basic facts about B_N:

1. If x_1 ∈ [i_1, s_1] and x_2 ∈ [i_2, s_2], then x_1 x_2 ∈ [i_1 + i_2, s_1 + s_2].

2. If x ∈ [i, s], then x^{-1} ∈ [−s, −i].

Thus, for each x ∈ {a_1, ..., a_k, b_1, ..., b_k}, x^{±1} ∈ [−ℓ − 1, ℓ + 1], and therefore, in the notation of our problem, a, b ∈ [−m(ℓ + 1), m(ℓ + 1)]. Thus,

a^{-1} b^{-1} a b ∈ [−4m(ℓ + 1), 4m(ℓ + 1)].

Corollary 3 In the Commutator KEP Problem, a^{-1} b^{-1} a b ∈ [−4m(ℓ + 1), 4m(ℓ + 1)].



4 Reducing to a matrix group over a finite field

Let n be a natural number. As usual, we denote the algebra of all n × n matrices over a field F by M_n(F), and the group of invertible elements of this algebra by GL_n(F). A matrix group is a subgroup of GL_n(F). A faithful representation of a group G in GL_n(F) is a group isomorphism from G onto a matrix group H ≤ GL_n(F). A group is linear if it has a faithful representation.

Bigelow and, independently, Krammer, established in their breakthrough papers [1], [21] that the braid group B_N is linear, by proving that the so-called Lawrence-Krammer representation

LK: B_N → GL_n(Z[t^{±1}, 1/2]),

whose dimension is

n = (N choose 2),

is injective (footnote 6). The Lawrence-Krammer representation of a braid can be computed very efficiently (footnote 7). It is proved implicitly in [21], and explicitly in [6], that this representation is also invertible in polynomial time. The following result follows from Corollary 1 of [6].

Theorem 4 (Cheon-Jun [6]) Let x ∈ [i, s] in B_N. Let M ≥ max(−i, s). Then:

1. The degrees of t in LK(x) ∈ GL_n(Z[t^{±1}, 1/2]) are in {−M, −M + 1, ..., M}.

2. The rational coefficients c/2^d in LK(x) (c integer, d nonnegative integer) satisfy: |c| ≤ 2^{N(M+1)}, d ≤ 2NM.

Footnote 6: Bigelow proved this theorem for the coefficient ring Z[t^{±1}, q^{±1}] with two variables. Krammer proved, in addition, that one may replace q by any real number from the interval (0, 1).

Footnote 7: When the infimum i is polynomial in the other parameters, which we proved in Section 3 that we may assume.

In the notation of Theorem 4, Theorem 2 in Cheon-Jun [6] bounds the number of entry multiplications needed to invert LK(x) by a polynomial in N times log M. Ignoring logarithmic factors and thus assuming that each entry multiplication costs NM · N^2 M = N^3 M^2, the total is polynomial in N and quadratic in M. This complexity is dominated by the complexity of the linear centralizer step of our cryptanalysis (Section 5).

Let us return to the Commutator KEP Problem 2. By Corollary 3,

K := a^{-1} b^{-1} a b ∈ [−4m(ℓ + 1), 4m(ℓ + 1)].

Let M = 4m(ℓ + 1). By Theorem 4, we have that

2^{2NM} t^M · LK(K) ∈ GL_n(Z[t]),

the absolute values of the coefficients in this matrix are bounded by 2^{N(3M+1)}, and the maximal degree of t in this matrix is bounded by 2M.

Let p be a prime slightly greater than 2^{N(3M+1)+1} and f(t) be an irreducible polynomial over Z_p, of degree d slightly larger than 2M. Then

2^{2NM} t^M · LK(K) = 2^{2NM} t^M · LK(K) mod (p, f(t)) ∈ GL_n(Z[t]/(p, f(t))),

under the natural identification of {−(p − 1)/2, ..., (p − 1)/2} with {0, ..., p − 1}.

Let F = Z[t]/(p, f(t)) = Z[t^{±1}, 1/2]/(p, f(t)). F is a finite field of cardinality p^d, where d is the degree of f(t). It follows that the complexity of field operations in F is, up to logarithmic factors, of order

d log p = O(M^2 N^2) = O(m^2 ℓ^2 N^2).

Thus, the key K can be recovered as follows:

1. Apply the composed function LK(x) mod (p, f(t)) to the input of the Commutator KEP Problem, to obtain a version of this problem in GL_n(F).

2. Solve the problem there, to obtain LK(K) mod (p, f(t)).

3. Compute (2^{2NM} t^M) · LK(K) mod (p, f(t)) = (2^{2NM} t^M) · LK(K).

4. Divide by (2^{2NM} t^M) to obtain LK(K).

5. Compute K using the Cheon-Jun inversion algorithm.

It remains to devise a polynomial time solution of the Commutator KEP Problem in matrix groups.

5 Linear centralizers

In this section, we solve the Commutator KEP Problem in matrix groups. We first state the problem in a general form. As usual, for a group G and elements g_1, ..., g_k ∈ G, ⟨g_1, ..., g_k⟩ denotes the subgroup of G generated by g_1, ..., g_k.

Problem 5 (Commutator KEP Problem) Let G be a group. Let a_1, ..., a_k, b_1, ..., b_k ∈ G. Let a ∈ ⟨a_1, ..., a_k⟩, b ∈ ⟨b_1, ..., b_k⟩.

Given a_1, ..., a_k, b_1, ..., b_k, a_1^b, ..., a_k^b, b_1^a, ..., b_k^a, compute a^{-1} b^{-1} a b.
We recall a classic definition.

Definition 6 Let S ⊆ M_n(F) be a set. The centralizer of S (in M_n(F)) is the set

C(S) = {c ∈ M_n(F) : cs = sc for all s ∈ S}.

For a_1, ..., a_k ∈ M_n(F), C({a_1, ..., a_k}) is also denoted as C(a_1, ..., a_k).

Basic properties of C(S), that are easy to verify, include:

1. C(S) is a vector subspace (indeed, a matrix subalgebra) of M_n(F).

2. C(C(S)) ⊇ S.

3. C(S) = C(span S).

4. If S ⊆ GL_n(F), then C(S) = C(⟨S⟩), where ⟨S⟩ is the subgroup of GL_n(F) generated by S.

A key observation is the following one: Let V be a vector subspace of M_n(F), and G ≤ GL_n(F) be a matrix group such that V ∩ G is nonempty. It may be computationally infeasible to find an element in V ∩ G. However, it is easy to compute a basis for V ∩ U for any vector subspace U of M_n(F). In particular, this is true for U = C(C(G)), that contains G. In certain cases, as the ones below, a "random" element in V ∩ C(C(G)) is as good as one in V ∩ G.

Following is an algorithm for the Commutator KEP Problem in a matrix group G ≤ GL_n(F). The analysis of this algorithm is based on the forthcoming Lemma 9. To this end, we assume that |F|/n > c > 1 for some constant c. In the above section, |F|/n is at least exponential. Fix a finite set S ⊆ F of cardinality greater than cn (the larger the better), that can be sampled efficiently. In the most important case, where F is a finite field, take S = F. By random element of a vector subspace V of M_n(F), with a prescribed basis {v_1, ..., v_d}, we mean a linear combination

α_1 v_1 + ⋯ + α_d v_d

with α_1, ..., α_d ∈ S uniform, independently distributed.

It is natural to split the Commutator KEP Problem and the algorithm for solving it into an offline (preprocessing) phase and an online phase.

Algorithm 7

Offline phase:

1. Input: b_1, ..., b_k ∈ G.

2. Execution:

(a) Compute a basis S = {s_1, ..., s_d} for C(b_1, ..., b_k), by solving the following homogeneous system of linear equations in the n^2 entries of the unknown matrix x:

b_1 · x = x · b_1
...
b_k · x = x · b_k.

(b) Compute a basis for C(S) = C(C(b_1, ..., b_k)), by solving the following homogeneous system of linear equations in the n^2 entries of the unknown matrix x:

s_1 · x = x · s_1
...
s_d · x = x · s_d.

3. Output: A basis for C(C(b_1, ..., b_k)).

Online phase:

1. Input: a_1, ..., a_k, b_1, ..., b_k, a_1^b, ..., a_k^b, b_1^a, ..., b_k^a ∈ G, where a ∈ ⟨a_1, ..., a_k⟩, b ∈ ⟨b_1, ..., b_k⟩ are unknown.

2. Execution:

(a) Solve the following homogeneous system of linear equations in the n^2 entries of the unknown matrix x:

b_1 · x = x · b_1^a
...
b_k · x = x · b_k^a.

(b) Fix a basis for the solution space, and pick random solutions x until x is invertible.

(c) Solve the following homogeneous system of linear equations in the n^2 entries of the unknown matrix y:

a_1 · y = y · a_1^b
...
a_k · y = y · a_k^b,

subject to the linear constraint that y ∈ C(C(b_1, ..., b_k)).

(d) Fix a basis for the solution space, and pick random solutions y until y is invertible.

(e) Output: x^{-1} y^{-1} x y.

Let ω be the matrix multiplication constant, that is, the minimal ω such that matrix multiplication is O(n^{ω+o(1)}). For our applications, one may take ω = log_2 7 ≈ 2.81. As usual, Las Vegas algorithm means an algorithm that always outputs the correct answer in finite time.
For the proof of the following theorem, note that if g^x = g^y, then g^{xy^{-1}} = g, or in other words, xy^{-1} commutes with g.

Theorem 8 Assume that |F|/n > c > 1 for some constant c, and k ≤ n^2. Algorithm 7 is a Las Vegas algorithm for the Commutator KEP Problem, with running time, in units of field operations:

1. Offline phase: O(n^{2ω+2}).

2. Online phase: O(k n^{2ω}).

Proof. We use the notation of Algorithm 7. First, assume that the algorithm terminates. We prove that its output is a^{-1} b^{-1} a b.

x^{-1} y^{-1} x y = x^{-1} y^{-1} (x a^{-1}) a y.

The equations (2)(a) in the online phase of Algorithm 7 assert that b_i^x = b_i^a for all i = 1, ..., k. Thus, x a^{-1} ∈ C(b_1, ..., b_k). As y ∈ C(C(b_1, ..., b_k)), y commutes with x a^{-1}, and therefore so does y^{-1}. Thus,

x^{-1} y^{-1} (x a^{-1}) a y = x^{-1} (x a^{-1}) y^{-1} a y = a^{-1} y^{-1} a y = a^{-1} a^y.

By the equations (2)(c) in the online phase of Algorithm 7, a_i^y = a_i^b for all i = 1, ..., k. As a ∈ ⟨a_1, ..., a_k⟩, we have that a^y = a^b. Indeed, let a = a_{i_1}^{ε_1} ⋯ a_{i_m}^{ε_m}. As conjugation is an isomorphism,

a^y = (a_{i_1}^y)^{ε_1} ⋯ (a_{i_m}^y)^{ε_m} = (a_{i_1}^b)^{ε_1} ⋯ (a_{i_m}^b)^{ε_m} = a^b.

Thus, x^{-1} y^{-1} x y = a^{-1} a^b = a^{-1} b^{-1} a b.

Running time, offline phase: (2)(a) These are kn^2 equations in n^2 variables, and thus the running time is O(k (n^2)^ω) = O(k n^{2ω}).

(2)(b) As C(b_1, ..., b_k) is a vector subspace of M_n(F), its dimension d is at most n^2. Thus, the running time of this step is O(n^2 · n^{2ω}) = O(n^{2ω+2}).

Running time, online phase: (2)(a) As in (2)(a) of the offline phase.

(2)(b) There is an invertible solution to the equations (2)(a), namely: a. Thus, by the Invertibility Lemma 9, the probability that a random solution is not invertible may be assumed arbitrarily close to n/|F| < 1/c < 1. Thus, the expected number of random elements picked until an invertible one was found is constant. To generate one random element, one takes a linear combination of a basis of the solution space. If d is the dimension, then d ≤ n^2 and the linear combination takes d n^2 ≤ n^4 operations. Checking invertibility is faster. The total expected running time of this step is, therefore, O(n^4), and n^4 ≤ n^{2ω}.

(2)(c) Recycling notation, let {s_1, ..., s_d} be the basis computed in the offline phase. Then d ≤ n^2. In the present step, one sets y = t_1 s_1 + ⋯ + t_d s_d, with t_1, ..., t_d variables, and obtains kn^2 equations in the d ≤ n^2 variables t_1, ..., t_d. The complexity is O(k n^2 d^{ω−1}), and k n^2 d^{ω−1} ≤ k n^{2ω}.

(2)(d) Similar to (2)(b).
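Algorithm 7 run end to end on a constructed toy instance in GL_3(F_101), as an added example (Python written for this edit, not the paper's own implementation). The public generators, the words v and w, and the field size are constructed assumptions; the linear algebra over GF(p) is a small hand-written Gauss-Jordan, and run_demo returns the true key next to the key recovered from the public transcript alone.

```python
# Toy run of Algorithm 7 (the linear centralizer attack on the Commutator KEP) in
# GL_n(F_p).  Added example, not the paper's code; the instance is constructed.
import random

P = 101  # constructed prime field; |F|/n = 101/3 > 1, as Theorem 8 assumes

def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)] for i in range(n)]

def lincomb(coeffs, mats):
    n = len(mats[0])
    return [[sum(c * m[i][j] for c, m in zip(coeffs, mats)) % P for j in range(n)] for i in range(n)]

def rref(rows, ncols):
    """Reduced row echelon form over GF(P); returns (matrix, pivot columns)."""
    M, pivots = [r[:] for r in rows], []
    for c in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [v * inv % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % P for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
    return M, pivots

def matinv(A):  # inverse over GF(P) by Gauss-Jordan; None if A is singular
    n = len(A)
    M, pivots = rref([row + [int(i == j) for j in range(n)] for i, row in enumerate(A)], n)
    return [row[n:] for row in M] if len(pivots) == n else None

def nullspace(rows, ncols):
    """Basis of {t in GF(P)^ncols : rows * t = 0}: one vector per free column."""
    M, pivots = rref(rows, ncols)
    basis = []
    for free in [c for c in range(ncols) if c not in pivots]:
        t = [int(c == free) for c in range(ncols)]
        for i, pc in enumerate(pivots):
            t[pc] = -M[i][free] % P
        basis.append(t)
    return basis

def solve_conjugation_system(pairs, basis):
    """Basis of {y in span(basis) : L*y = y*R for every (L, R) in pairs}; with
    y = sum t_j basis[j], each pair gives n^2 linear equations in the t_j.  A side
    constraint such as y in C(C(b)) is imposed by passing that subspace's basis."""
    n, rows = len(basis[0]), []
    for L, R in pairs:
        diffs = [(matmul(L, s), matmul(s, R)) for s in basis]
        rows += [[(ls[i][j] - sr[i][j]) % P for ls, sr in diffs] for i in range(n) for j in range(n)]
    return [lincomb(t, basis) for t in nullspace(rows, len(basis))]

def elementary_basis(n):  # the n^2 matrix units E_ij, i.e. the unconstrained case
    return [[[int(r == i and c == j) for c in range(n)] for r in range(n)] for i in range(n) for j in range(n)]

def centralizer(mats, n):  # basis of C(S) = {x : s x = x s for all s in S} (Definition 6)
    return solve_conjugation_system([(s, s) for s in mats], elementary_basis(n))

def random_invertible(basis, rng):  # steps (2)(b)/(2)(d): retry until invertible (Lemma 9)
    while True:
        x = lincomb([rng.randrange(P) for _ in basis], basis)
        if matinv(x) is not None:
            return x

def conj(g, x):  # g^x = x^{-1} g x (Notation 1)
    return matmul(matmul(matinv(x), g), x)

def commutator(a, b):  # a^{-1} b^{-1} a b, the shared key of the Commutator KEP
    return matmul(matmul(matinv(a), matinv(b)), matmul(a, b))

def linear_centralizer_attack(a_pub, b_pub, b_conj_a, a_conj_b, rng):
    """Algorithm 7: recover a^{-1} b^{-1} a b from the public transcript alone."""
    n = len(a_pub[0])
    ccb = centralizer(centralizer(b_pub, n), n)  # offline phase: C(C(b_1, ..., b_k))
    xs = solve_conjugation_system(list(zip(b_pub, b_conj_a)), elementary_basis(n))
    x = random_invertible(xs, rng)  # online (2)(a),(b): b_i x = x b_i^a; x = a is one solution
    ys = solve_conjugation_system(list(zip(a_pub, a_conj_b)), ccb)
    y = random_invertible(ys, rng)  # online (2)(c),(d): a_i y = y a_i^b, y in C(C(b)); y = b works
    return commutator(x, y)

def run_demo(seed=7, n=3, k=2):
    """Constructed instance: random public a_i, b_i in GL_n(F_P), secret words a, b."""
    rng = random.Random(seed)
    rand_gl = lambda: random_invertible(elementary_basis(n), rng)  # uniform invertible matrix
    a_pub, b_pub = [rand_gl() for _ in range(k)], [rand_gl() for _ in range(k)]
    a = matmul(matmul(a_pub[0], matinv(a_pub[1])), a_pub[0])  # Alice: v = x_1 x_2^{-1} x_1
    b = matmul(matmul(b_pub[1], b_pub[0]), matinv(b_pub[1]))  # Bob: w = x_2 x_1 x_2^{-1}
    sent_by_alice = [conj(bi, a) for bi in b_pub]  # b_1^a, ..., b_k^a, seen by the adversary
    sent_by_bob = [conj(ai, b) for ai in a_pub]  # a_1^b, ..., a_k^b
    key = commutator(a, b)
    recovered = linear_centralizer_attack(a_pub, b_pub, sent_by_alice, sent_by_bob, rng)
    return key, recovered
```

With the seed fixed the run is deterministic; the two returned matrices coincide, as the proof of Theorem 8 guarantees for any invertible solutions x and y.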

6 Finding an invertible solution when there is one

The results in the previous section assume that we are able to find, efficiently, an invertible matrix in any subspace of M_n(F) containing an invertible element. This is taken care of by the following Lemma.

Lemma 9 (Invertibility Lemma) Let a_1, ..., a_m ∈ M_n(F) be such that

span{a_1, ..., a_m} ∩ GL_n(F) ≠ ∅.

Let S be a finite subset of F. If α_1, ..., α_m are chosen uniformly and independently from S, then the probability that α_1 a_1 + ⋯ + α_m a_m is invertible is at least 1 − n/|S|.

Proof. Let

f(t_1, ..., t_m) = det(t_1 a_1 + ⋯ + t_m a_m) ∈ F[t_1, ..., t_m],

where t_1, ..., t_m are scalar variables. This is a determinant of a matrix whose coefficients are linear in the variables. By the definition of determinant as a sum of products of n elements, f is a polynomial of degree n. As span{a_1, ..., a_m} ∩ GL_n(F) ≠ ∅, f is nonzero. Apply the Schwartz-Zippel Lemma 10.

For the reader's convenience, we include a proof for the following classic lemma.

Lemma 10 (Schwartz-Zippel) Let f(t_1, ..., t_m) ∈ F[t_1, ..., t_m] be a nonzero multivariate polynomial of degree n. Let S be a finite subset of F. If α_1, ..., α_m are chosen uniformly and independently from S, then the probability that f(α_1, ..., α_m) ≠ 0 is at least 1 − n/|S|.

Proof. By induction on m. If m = 1, then f is a univariate polynomial of degree n, and thus has at most n roots.
m > 1: Write

f(t_1, ..., t_m) = f_0(t_2, ..., t_m) + f_1(t_2, ..., t_m) t_1 + f_2(t_2, ..., t_m) t_1^2 + ⋯ + f_k(t_2, ..., t_m) t_1^k,

with k ≤ n maximal such that f_k(t_2, ..., t_m) is nonzero. The degree of f_k(t_2, ..., t_m) is at most n − k. For each choice of α_2, ..., α_m ∈ F with f_k(α_2, ..., α_m) ≠ 0, f(t_1, α_2, ..., α_m) is a univariate polynomial of degree k in the variable t_1. By the induction hypothesis (for m = 1), for random α_1 ∈ S, f(α_1, α_2, ..., α_m) is nonzero with probability at least 1 − k/|S|. By the induction hypothesis,

Pr[f(α_1, ..., α_m) ≠ 0] ≥ Pr[f_k(α_2, ..., α_m) ≠ 0] · Pr[f(α_1, ..., α_m) ≠ 0 | f_k(α_2, ..., α_m) ≠ 0] ≥ (1 − (n − k)/|S|) (1 − k/|S|) ≥ 1 − n/|S|.

7 Application to the Centralizer KEP

Definition 11 For a group G and an element g ∈ G, the centralizer of g in G is the set

C_G(g) := {h ∈ G : gh = hg}.

The Centralizer KEP, introduced by Shpilrain and Ushakov in 2006 [33], is described in Figure 2. In this protocol, a_1 commutes with b_1 and a_2 commutes with b_2. Consequently, the keys computed by Alice and Bob are identical, and equal to a_1 b_1 g a_2 b_2.

Alice                              Public        Bob
a_1 ∈ G                            g ∈ G         b_2 ∈ G
g_1, ..., g_k ∈ C_G(a_1)                         h_1, ..., h_k ∈ C_G(b_2)
a_2 ∈ ⟨h_1, ..., h_k⟩                            b_1 ∈ ⟨g_1, ..., g_k⟩
                     a_1 g a_2   ---------->
                                 <----------   b_1 g b_2
K = a_1 b_1 g b_2 a_2                            K = b_1 a_1 g a_2 b_2

Fig. 2. The Centralizer KEP

As in the Commutator KEP, it is proposed in [33] to use the braid group B_N as the platform group G. The group elements are chosen in a special way, so as to foil attacks attempted at earlier braid group based KEPs. We apply the methods developed in the previous sections to obtain a polynomial time cryptanalysis of this KEP. We omit some details, that are similar to those in the earlier sections.

Problem 12 (Centralizer KEP Problem) Assume that g, a_1, b_2 ∈ B_N, g_1, ..., g_k ∈ C_{B_N}(a_1), h_1, ..., h_k ∈ C_{B_N}(b_2), each of the form (i, p) with p of length ≤ ℓ. Let a_2 be a product of at most m elements of {h_1, ..., h_k}^{±1}, and let b_1 be a product of at most m elements of {g_1, ..., g_k}^{±1}.

Given g, g_1, ..., g_k, h_1, ..., h_k, a_1 g a_2, b_1 g b_2, compute a_1 b_1 g a_2 b_2.

7.1 Solving the Centralizer KEP Problem in matrix groups.

For a group G, Z(G) = C_G(G) is the set of all central elements of G. Consider the Centralizer KEP Problem 12 in G ≤ GL_n(F) instead of B_N. The following variation of this problem is formally harder.

Problem 13 Let G ≤ GL_n(F). Assume that g, a_1, b_2 ∈ G, g_1, ..., g_k ∈ C_G(a_1), h_1, ..., h_k ∈ C_G(b_2), a_2 ∈ ⟨{h_1, ..., h_k} ∪ Z(G)⟩, and b_1 ∈ ⟨{g_1, ..., g_k} ∪ Z(G)⟩.
Given g, g_1, ..., g_k, h_1, ..., h_k, a_1 g a_2, b_1 g b_2, compute a_1 b_1 g a_2 b_2.

Following is an algorithm for solving it. As before, for S ⊆ M_n(F), C(S) (without subscript) is the centralizer of S in the matrix algebra M_n(F).

Algorithm 14

1. Input: g, g_1, ..., g_k, h_1, ..., h_k, a_1 g a_2, b_1 g b_2 ∈ G.

2. Execution:

(a) Compute bases for the subspaces C(g_1, ..., g_k), C(C(h_1, ..., h_k)) of M_n(F).

(b) Solve

x · g = a_1 g a_2 · y

subject to the linear constraints x ∈ C(g_1, ..., g_k), y ∈ C(C(h_1, ..., h_k)).

(c) Take random linear combinations of the basis of the solution space to obtain solutions (x, y), until y is invertible.

3. Output: x · b_1 g b_2 · y^{-1}.

Theorem 15 Let G ≤ GL_n(F). Assume that |F|/n > c > 1 for some constant c, and k ≤ n^2. Algorithm 14 is a Las Vegas algorithm for Problem 13 with running time, in units of field operations, O(n^{2ω+2}).

Proof. The proof is similar to that of Theorem 8.

First, assume that the algorithm terminates. We prove that its output is a_1 b_1 g a_2 b_2. As x ∈ C(g_1, ..., g_k) and b_1 ∈ ⟨g_1, ..., g_k⟩, x commutes with b_1. As b_2 commutes with h_1, ..., h_k, b_2 ∈ C(h_1, ..., h_k). As y ∈ C(C(h_1, ..., h_k)), y commutes with b_2, and therefore so does y^{-1}. Thus,

x b_1 g b_2 y^{-1} = b_1 x g y^{-1} b_2.

As x g = a_1 g a_2 y, x g y^{-1} = a_1 g a_2. Thus,

b_1 x g y^{-1} b_2 = b_1 a_1 g a_2 b_2 = a_1 b_1 g a_2 b_2.

Running time: (2)(a) We are solving kn^2 equations in n^2 variables, and then at most n^2 · n^2 equations in n^2 variables. This is O(n^{2ω+2}).

(2)(b) We are solving n^2 equations in 2n^2 variables, which is O(n^{2ω}).

(2)(c) Let

H = {(x, y) ∈ C(g_1, ..., g_k) × C(C(h_1, ..., h_k)) : x · g = a_1 g a_2 · y}

be the solution space, and let (x_1, y_1), ..., (x_d, y_d) be a basis for H. As H is a subspace of M_n(F) × M_n(F), d ≤ 2n^2. Let H_2 = {y : (x, y) ∈ H}, the projection of H on the second coordinate. Then

H_2 = span{y_1, ..., y_d}.

(a_1, a_2^{-1}) ∈ H, and thus a_2^{-1} ∈ H_2. In particular, there is an invertible element in H_2. By the Invertibility Lemma 9, a random linear combination of y_1, ..., y_d is invertible with probability at least 1 − 1/c. The total expected running time of this step is, therefore, O(n^4), and n^4 ≤ n^{2ω}.

7.2 Infimum reduction.

In Section 3, we explained how each x ∈ B_N can be decomposed (in linear time) as x = c x̃ with c central and inf(x̃) ∈ {0, 1}.
We may assume that

inf(g) ∈ {0, 1}.

Indeed, assume that we have an algorithm solving the problem when inf(g) ∈ {0, 1}. Write g = c g̃ with c central and inf(g̃) ∈ {0, 1}. Compute

c^{-1} a_1 g a_2 = a_1 c^{-1} g a_2 = a_1 g̃ a_2;
c^{-1} b_1 g b_2 = b_1 c^{-1} g b_2 = b_1 g̃ b_2.

Apply the given algorithm to g̃, g_1, ..., g_k, h_1, ..., h_k, a_1 g̃ a_2, b_1 g̃ b_2, to obtain a_1 b_1 g̃ a_2 b_2. Multiply by c to obtain a_1 b_1 g a_2 b_2.
Next, we may assume that

inf(g_1), ..., inf(g_k), inf(h_1), ..., inf(h_k) ∈ {0, 1},

since when we apply Algorithm 14 in the image of our group in a matrix group, we have in Problem 13 that

⟨{h_1, ..., h_k} ∪ Z(G)⟩ = ⟨{h̃_1, ..., h̃_k} ∪ Z(G)⟩,
⟨{g_1, ..., g_k} ∪ Z(G)⟩ = ⟨{g̃_1, ..., g̃_k} ∪ Z(G)⟩.

As in Section 3, it follows that

a_2, b_1 ∈ [−m(ℓ + 1), m(ℓ + 1)].

Let u = a_1 g a_2 and v = b_1 g b_2. Decompose u = c ũ and v = d ṽ with c, d central and inf(ũ), inf(ṽ) ∈ {0, 1}. As g ∈ [0, ℓ + 1] and a_1 ∈ [inf(a_1), inf(a_1) + ℓ],

u = a_1 g a_2 ∈ [inf(a_1), inf(a_1) + (m + 1)(ℓ + 1) + ℓ],

and thus

a_1 g (c^{-1} a_2) = ũ ∈ [0, (m + 1)(ℓ + 2)];
c^{-1} a_1 = ũ a_2^{-1} g^{-1} ∈ [−(m + 1)(ℓ + 1), (m + 1)(2ℓ + 3)].

Similarly,

(d^{-1} b_1) g b_2 = ṽ ∈ [0, (m + 1)(ℓ + 2)].

Finally,

K' := a_1 (d^{-1} b_1) g b_2 (c^{-1} a_2) = a_1 ṽ (c^{-1} a_2) = (c^{-1} a_1) ṽ a_2 ∈ [−(m + 2)(ℓ + 1), (m + 2)(4ℓ + 6)].

Let M = (m + 2)(4ℓ + 6). Continue as in Section 4.
By Theorem 4 we have that

2^{2NM} t^M · LK(K') ∈ GL_n(Z[t]),

the absolute values of the coefficients in this matrix are bounded by 2^{N(3M+1)}, and the maximal degree of t in this matrix is bounded by 2M. Let p be a prime slightly greater than 2^{N(3M+1)+1} and f(t) be an irreducible polynomial over Z_p, of degree d slightly larger than 2M.
Then

(2^{2NM} t^M) · LK(K') = (2^{2NM} t^M) · LK(K') mod (p, f(t)) ∈ GL_n(Z[t]/(p, f(t))),

under the natural identification of {−(p − 1)/2, ..., (p − 1)/2} with {0, ..., p − 1}. Let F = Z[t]/(p, f(t)) = Z[t^{±1}, 1/2]/(p, f(t)). F is a finite field of cardinality p^d, where d is the degree of f(t). It follows that the complexity of field operations in F is, up to logarithmic factors, of order

d log p = O(M^2 N^2) = O(m^2 ℓ^2 N^2).

Thus, the key K can be recovered as follows:

1. Apply the composed function LK(x) mod (p, f(t)) to g, g_1, ..., g_k, h_1, ..., h_k, ũ = a_1 g (c^{-1} a_2), ṽ = (d^{-1} b_1) g b_2, to obtain an input to Problem 13.

2. Solve the problem there, to obtain LK(K') mod (p, f(t)).

3. Compute (2^{2NM} t^M) · LK(K') mod (p, f(t)) = (2^{2NM} t^M) · LK(K').

4. Divide by (2^{2NM} t^M) to obtain LK(K').

5. Compute K' using the Cheon-Jun inversion algorithm.

6. Multiply by cd to obtain a_1 b_1 g a_2 b_2.

8 Final comments

Ignoring logarithmic factors, the overall complexity of both cryptanalyses presented here is n^{2ω+2} = N^{4ω+4} field operations, that are of complexity m^2 ℓ^2 N^2. Thus, the complexity is

m^2 ℓ^2 N^{4ω+6},

ignoring logarithmic factors. While polynomial, this complexity is practical only for braid groups of small index N. However, even the problems of finding polynomial time attacks on the Commutator KEP or on the Centralizer KEP were open up till now.

The methods introduced here are also applicable for cryptanalyzing other KEPs. For example, the Invertibility Lemma can be used to turn both the Cheon-Jun cryptanalysis of the Braid Diffie-Hellman KEP [6] and the Shpilrain cryptanalysis of Stickel's KEP [31] into Las Vegas algorithms of expected polynomial time. Our infimum reductions can be applied to the Cheon-Jun attack to eliminate the exponential dependence on the bitlength of the infimum, a technical issue that was apparently not treated thus far.

The major challenge is to reduce the degree of N in the polynomial time cryptanalyses. By Chinese Remaindering or p-adic lifting methods, it may be possible to reduce the complexity contributed by the field operations. Apparently, this may reduce the power of N by 1. It should be possible to make sure that the Invertibility Lemma is still applicable when these methods are used. Much of the complexity comes from the Lawrence-Krammer representation having dimension quadratic in N. It may well be that there are no faithful representations of B_N of smaller dimension. Finally, a more careful analysis of the Lawrence-Krammer representation may make it possible to obtain finer estimates. However, it does not seem that any of these directions would make the attacks practical for, say, N = 100.

One may wonder whether, from the CS theory point of view, this paper may end braid-based cryptography. My belief is that this is not the case. I do not at present know whether Kurt's Triple Decomposition KEP [26, 4.2.5] can be cryptanalyzed using the methods presented here. Additional KEPs to which the present methods do not seem to be applicable are introduced by Kalka in [17] and [18]. Moreover, there are additional types of braid-based schemes (e.g., authentication schemes), that cannot be attacked using the methods presented here. Some examples are reviewed in the monograph [26].

Changing the platform group in any of the studied KEPs is a very interesting option. There are efficiently implementable, infinite groups with no faithful representations as matrix groups. As for finite groups, I am pessimistic. For example, finite simple groups tend to be linear, by the classification of finite simple groups, and our method would reduce the cryptanalysis to the problem of finding an efficient linear representation. There are at present no signs that such representations must be harder to evaluate (or invert) than, say, solving the discrete logarithm problem in Z_p^*.